CVSS: 10.0EPSS: 94%CPEs: 16EXPL: 60CVE-2022-22947 – VMware Spring Cloud Gateway Code Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-22947
03 Mar 2022 — In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host. En spring cloud gateway versiones anteriores a 3.1.1+ y a 3.0.7+ , las aplicaciones son vulnerables a un ataque de inyección de código cuando el endpoint del Actuador de la Puerta de Enlace está habilit... • https://packetstorm.news/files/id/166219 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-22051
https://notcve.org/view.php?id=CVE-2021-22051
08 Nov 2021 — Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE or newer. Las aplicaciones que usan Spring Cloud Gateway son vulnerables a unas peticiones específicamente diseñadas que podrían hacer una petición extra en los servicios posteriores. Los usuarios de las versiones afec... • https://tanzu.vmware.com/security/cve-2021-22051 • CWE-863: Incorrect Authorization •